Sponsored by..

Tuesday 28 January 2014

Ongoing Fake flash update via .js injection and SkyDrive, Part II

A few days ago I wrote about some ongoing injection attacks that were leading to Adscend Media LLC ads. Adscend say that the affiliate using their ad system was banned, although the ad code is still showing in the injection attacks themselves (update: you can see their take on this in the comments below). F-Secure also covered the attacks from a different aspect.

Although these injection attacks have died down a little they are still ongoing, but usually by the time I get to have a look at them part of the infection chain has been cleaned up. However, this infection is still current and shows what it going on at the moment.

In the case the code has been injected into the legitimate website sotralu.fr (report here) by altering the site's JS files, for example [donotclick]www.sotralu.fr/local/cache-js/fc1bd2678ffcf630f1ab8e56bda3ce7b.js

The code is fairly distinctive being attached at the bottom of the .js file, and it has a limited and fairly generic set of results at VirusTotal.

In this case the injection attempts to run a script from [donotclick]adsrr.home.pl/_vti_txt/rNn3m1K9.php?id=47276976 which in turn tries to download most of its content from [donotclick]adsrr.home.pl/_vti_txt/imgfiles/b.html (report here) which presents itself as a fake Flash update banner.

As well as the Adscend Media ad, this directs the user to download flashplayerinstaller.exe from [donotclick-https]skydrive.live.com/download.aspx?cid=cafe68e3dcbe2d33&resid=CAFE68E3DCBE2D33%21111 which has a VirusTotal detection rate of just 2/50. The Malwr analysis of this file shows a subsequent download from [donotclick-https]skydrive.live.com/download.aspx?cid=cafe68e3dcbe2d33&resid=CAFE68E3DCBE2D33%21112 which has a VirusTotal detection rate of 7/50 but a rather inconclusive Malwr report showing that it modifies the computer to run at startup.

Other researchers might want to grab those files and have a poke at them, so I haven't reported them yet. I'd be interested if anybody can get more intel on whoever is behind it.

The use of SkyDrive is sneaky, but you might decide that it's the sort of thing that you want to block in your corporate environment anyway. It might just be that the best way to counter this sort of attack is to apply a bit of user education about the threat.


gnznroses said...
This comment has been removed by the author.
Unknown said...


To clarify further, these attacks are not using our advertising services in ANY way. They simply have copied the Javascript code of our content-locking product and used it for their own purposes. Therefore to call this "an Adscend Media ad" is not accurate. In the previous case, there was a commented-out line of Javascript code (where they had replaced our code with their new code), and we were able to see an account number of the person who copied our script, and we suspended the account, however at no point has our real service been used to spread malware. If a person were to copy HTML source code from this page, and use it on a blog that infects users with malware, it would be damaging to your name to repeatedly tie you to something over which you have no control, and that is what is happening here with our company.

Jeremy Bash
CoFounder & CTO